SymBULL - Smart Contract Audit Report
Summary
SymBULL is a new BEP20 deflationary token with rewards automatically distributed to token holders.
Notes on the Contracts:
SymBULL Contract:BountyDistributor Contract:
- The initial supply of 20 billion SYMBULL is minted to the owner upon deployment.
- No minting or burn functions are present beyond deployment, though the circulating supply can be reduced by sending tokens to the 0x..dead address, if desired.
- At the time of this audit, 50% of the total supply has been sent to to the 0x..dead address
- Additionally, 4.47% of the total supply is held as liquidity in a PancakeSwap Liquidity Pool.
- The 5 next largest holders comprise a total of 2.75% of the total supply.
- There is a maximum transaction limit of 0.25% of the total token supply.
- There is a liquidity fee, a buy back fee, a marketing fee, and a reflection fee taken on transfers.
- On deployment, fees are allocated as a 2% liquidity fee, 3% buyback fee, 8% reflection fee, and 1% marketing fee for a total fee of 14%.
- Fees are 99% in the first block after launch, and 18 times the normal total fees in the first 24 hours after launch.
- Addresses on the transaction whitelist may send token quantities above the transaction limit. The owner is added to the whitelist on deployment.
- Addresses on the fee exempt whitelist will not have fees taken during transactions. The owner is set as fee exempt on deployment.
- Addresses on the bounty blacklist will not receive rewards collected during transactions.
- During transfers, if the contract's balance has met a threshold, the transfer is not a purchase, and the swapping functionality is enabled, a "swapback" will be performed.
- If the liquidity during the swapback is greater than the target value, initially 25% of the circulating supply, no liquidity will be added. Otherwise the liqudity fee is reserved for a liquidity add.
- A liquidity-add is funded by selling half of the tokens collected as liquidity fees, pairing the received BNB with the token, and adding it as liquidity to the BNB pair.
- The LP tokens received are sent to a specified Auto Liquidity Receiver address; initially this is the owner's address. We recommend that the team lock these LP tokens.
- The remaining contract balance is converted to BNB where subsequently the marketing fee is sent to the Marketing address. The reflection fee is sent to the rewards distributor where it is divided amongst stakeholders as rewards.
- Additonally, during transfers if the contract's balance has met a threshold, the transfer is not a purchase, auto buyback is enabled, and the cooldown period for buyback has passed, an automatic buyback is triggered.
- A specified number of tokens are automatically bought from the liquidity pool and sent to the 0x..dead address. Once a threshold of tokens bought in this manner is reached, autobuy back is disabled.
- Authorized addresses may also trigger a "bullrun" buyback. This will similarly purchase a specified amount of tokens and send them to the 0x..dead address. Additionally, fees will be multiplied during the cooldown period after the purchase is made, if enabled.
- As both these buyback methods allow for maximum slippage, they are susceptible to a flashloan attack. We recommend the team keep the number of tokens purchased fairly small to disincentivize this type of attack.
- The owner may add and remove authorized addresses at any time.
- Authorized addresses may adjust the fees to any value, as long as total fees remain less than 100%, at any time.
- Authorized addresses may change the Auto Liquidity Receiver and Marketing address at any time.
- Authorized addresses may add or remove an address from the transaction whitelist, fee exempt whitelist, and bounty blacklist at any time.
- Authorized addresses may toggle swapback and auto buyback functionality at any time.
- Authorized addresses may change the target liquidity value and the contract threshold required to swapback at any time.
- Authorized addresses may set the auto buyback limit, purchase amount, and cooldown period at any time. Doing so will reset the counter for accumulated buyback tokens.
- Authorized addresses may set the transaction limit to any value greater than 0.1% of the total supply at any time.
- Authorized addresses may set the contract as launched only once after deployment.
- Authorized addresses may set the multiplication ratio for transaction fees in the "bullrun" cooldown period and reset the last triggered buyback multiplier timestamp at any time.
Audit Findings Summary
- This contract is used to distribute BUSD rewards to SYMBULL owners.
- Users will receive rewards over time based on the amount of SYMBULL owned; rewards can be calculated and transferred to the user at any time.
- During SYMBULL transfers, both the sender and receiver's pending rewards are calculated and transferred.
- Additionally, SYMBULL transfers provide gas to the rewards distributor to loop through token holders in order to process and distribute rewards until all the gas has been used.
- Rewards will only be distributed to users in this manner if the cooldown period since their last distribution has passed and their pending rewards are greater than the minimum required for distribution.
- BUSD rewards are be supplied by the SymBULL contract through the collected reflection fees.
- The process function uses state variables inside a loop which is very gas expensive. This could be optimized by using local variables instead thus only need to update the state variables once.
- The SymBULL contract may update the reward cooldown period and minimum amount for distribution in automatic rewards processing at any time.
- Utilization of SafeMath to prevent overflow.
- The SymBULL contract is BEP20 compliant; all standard functionality is present.
- No external threats were identified.
- Ensure trust in the team as they have substantial control within the ecosystem.
- Date: November 12th, 2021.
Audit Results
| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Storage Write | N/A | PASS |
| Arbitrary Jump | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Deprecated Opcodes | N/A | PASS |
| Ether Thief | N/A | PASS |
| Exceptions | N/A | PASS |
| External Calls | N/A | PASS |
| Flash Loans | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Multiple Sends | N/A | PASS |
| Oracles | N/A | PASS |
| Suicide | N/A | PASS |
| State Change External Calls | N/A | PASS |
| Unchecked Retval | N/A | PASS |
| User Supplied Assertion | N/A | PASS |
| Critical Solidity Compiler | N/A | PASS |
| Overall Contract Safety | PASS |
($) = payable function
# = non-constant function
+ [Lib] SafeMath
- [Int] tryAdd
- [Int] trySub
- [Int] tryMul
- [Int] tryDiv
- [Int] tryMod
- [Int] add
- [Int] sub
- [Int] mul
- [Int] div
- [Int] mod
- [Int] sub
- [Int] div
- [Int] mod
+ [Int] IBEP20
- [Ext] totalSupply
- [Ext] decimals
- [Ext] symbol
- [Ext] name
- [Ext] getOwner
- [Ext] balanceOf
- [Ext] transfer #
- [Ext] allowance
- [Ext] approve #
- [Ext] transferFrom #
+ Auth
- [Pub] Constructor #
- [Pub] authorize #
- modifiers: onlyOwner
- [Pub] unauthorize #
- modifiers: onlyOwner
- [Pub] isOwner
- [Pub] isAuthorized
- [Pub] transferOwnership #
- modifiers: onlyOwner
+ [Int] IDEXFactory
- [Ext] createPair #
+ [Int] IDEXRouter
- [Ext] factory
- [Ext] WETH
- [Ext] addLiquidity #
- [Ext] addLiquidityETH ($)
- [Ext] swapExactTokensForTokensSupportingFeeOnTransferTokens #
- [Ext] swapExactETHForTokensSupportingFeeOnTransferTokens ($)
- [Ext] swapExactTokensForETHSupportingFeeOnTransferTokens #
+ [Int] IBountyDistributor
- [Ext] setDistributionCriteria #
- [Ext] setShare #
- [Ext] deposit ($)
- [Ext] process #
+ BountyDistributor (IBountyDistributor)
- [Pub] Constructor #
- [Ext] setDistributionCriteria #
- modifiers: onlyToken
- [Ext] setShare #
- modifiers: onlyToken
- [Ext] deposit ($)
- modifiers: onlyToken
- [Ext] process #
- modifiers: onlyToken
- [Int] shouldDistribute
- [Int] distributeBounty #
- [Ext] claimBounty #
- [Pub] getUnpaidEarnings
- [Int] getCumulativeBountys
- [Int] addKeeper #
- [Int] removeKeeper #
+ SymBULL (IBEP20, Auth)
- [Pub] Constructor #
- modifiers: Auth
- [Ext] Fallback ($)
- [Ext] totalSupply
- [Ext] decimals
- [Ext] symbol
- [Ext] name
- [Ext] getOwner
- [Pub] balanceOf
- [Ext] allowance
- [Pub] approve #
- [Ext] approveMax #
- [Ext] transfer #
- [Ext] transferFrom #
- [Int] _transferFrom #
- [Int] _basicTransfer #
- [Int] checkTxLimit
- [Int] shouldTakeFee
- [Pub] getTotalFee
- [Pub] getMultipliedFee
- [Int] takeFee #
- [Int] shouldSwapBack
- [Int] swapBack #
- modifiers: swapping
- [Int] shouldAutoBuyback
- [Ext] triggerBullRun #
- modifiers: authorized
- [Ext] clearBuybackMultiplier #
- modifiers: authorized
- [Int] triggerAutoBuyback #
- [Int] buyTokens #
- modifiers: swapping
- [Ext] setAutoBuybackSettings #
- modifiers: authorized
- [Ext] setBuybackMultiplierSettings #
- modifiers: authorized
- [Int] launched
- [Pub] launch #
- modifiers: authorized
- [Ext] setTxLimit #
- modifiers: authorized
- [Ext] setIsBountyExempt #
- modifiers: authorized
- [Ext] setIsFeeExempt #
- modifiers: authorized
- [Ext] setIsTxLimitExempt #
- modifiers: authorized
- [Ext] setFees #
- modifiers: authorized
- [Ext] setFeeReceivers #
- modifiers: authorized
- [Ext] setSwapBackSettings #
- modifiers: authorized
- [Ext] setTargetLiquidity #
- modifiers: authorized
- [Ext] setDistributionCriteria #
- modifiers: authorized
- [Ext] setDistributorSettings #
- modifiers: authorized
- [Pub] getCirculatingSupply
- [Pub] getLiquidityBacking
- [Pub] isOverLiquified